Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:XXX"
I am using Azure Storage as a Terraform backend. It was working fine. I removed a private endpoint for the storage from the configuration and ran terraform apply. It started giving me this error. Is a private endpoint needed for storing Terraform state in Azure Storage? I am also not sure why I got the above error. I am unable to run terraform init with this error.
I had the same issue: Terraform was working locally and saving the state file in the storage container, but it failed with a similar error in Azure DevOps using the TerraformTaskV3@3 task:
│ Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch"
So I assigned the Storage Blob Data Contributor role to the service principal I used to connect DevOps to the Azure container.
Reference: Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token
I tried this in my environment and got the results below:
Main
provider "azurerm" {
  features {
    resource_group {
      # Allow deleting a resource group even if it still contains resources
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azuread" {
}

# Look up the existing resource group and storage account
data "azurerm_resource_group" "example" {
  name = "< Resource group name >"
}

data "azurerm_storage_account" "example" {
  name                = "venkat123"
  resource_group_name = data.azurerm_resource_group.example.name
}

# Remote state is stored as a blob in the "test" container
terraform {
  backend "azurerm" {
    resource_group_name  = "< Resource group name >"
    storage_account_name = "venkat123"
    container_name       = "test"
    key                  = "terraform.tfstate"
  }
}
Before running the code, make sure you are logged in with your credentials:
az login --tenant <tenant ID>
az account set --subscription <subscription ID>
Console:

Yes, you can access the storage account without private endpoints.
Portal:

containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:XXX"
The above error shows that the request does not have the proper permission to authorize against Azure Blob Storage.
Check the firewall settings: under Networking, check whether "Allow trusted Microsoft services to access this storage account" allows you to access the storage account.
Contributor and User Access Administrator roles and the Storage Blob Data Owner role.
Reference: Creating Azure Storage Containers in a storage account with network rules, with Terraform by Ansuman Bal
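As an added example (not code from either answer), the two checks suggested above expressed in Terraform: a data-plane role for the identity that hits AuthorizationPermissionMismatch, and explicit firewall rules for the AuthorizationFailure case. The variable names, the resource labels and the split into a separately applied bootstrap configuration are assumptions.

```hcl
# --- bootstrap configuration (assumed: applied by an admin, state kept elsewhere) ---
provider "azurerm" {
  features {}
}

variable "pipeline_principal_object_id" { # assumed name
  description = "Object ID of the identity that runs terraform init/plan/apply"
  type        = string
}

variable "runner_public_ip" { # assumed name
  description = "Public egress IP of the machine or agent running Terraform"
  type        = string
}

data "azurerm_storage_account" "state" {
  name                = "venkat123"
  resource_group_name = "< Resource group name >"
}

# AuthorizationPermissionMismatch: the identity authenticated with Azure AD but
# holds no blob data-plane role, so grant one scoped to the state account only.
resource "azurerm_role_assignment" "state_blob_access" {
  scope                = data.azurerm_storage_account.state.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.pipeline_principal_object_id
}

# AuthorizationFailure after removing the private endpoint: if the storage
# firewall is the blocker, keep default deny and allow only what is needed.
resource "azurerm_storage_account_network_rules" "state" {
  storage_account_id = data.azurerm_storage_account.state.id
  default_action     = "Deny"
  bypass             = ["AzureServices"] # "Allow trusted Microsoft services ..."
  ip_rules           = [var.runner_public_ip]
}

# --- working configuration (the backend block from the answer above) ---
terraform {
  backend "azurerm" {
    resource_group_name  = "< Resource group name >"
    storage_account_name = "venkat123"
    container_name       = "test"
    key                  = "terraform.tfstate"
    use_azuread_auth     = true # use the Azure AD role instead of an account key
  }
}
```

Role assignments can take a few minutes to take effect, so a terraform init run immediately after the bootstrap apply may still return 403.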